1 min read.Updated: 15 Jun 2021, 06:53 PM ISTLivemint
Researcher found that the vulnerability could allow an attacker to take control of a user’s account
A researcher at security firm Tenable has found a vulnerability in Microsoft’s Teams application, the company detailed in a blog yesterday. Evan Grant, a researcher in Tenable’s Zero-Day team, found that the vulnerability could allow an attacker to take control of a user’s account. “This could grant the attacker access to the victim’s chat history, the ability to read and send emails on the victim’s behalf, and access files in their OneDrive storage," the company said in a blog post.
The vulnerability, which has now been patched by Microsoft, would affect enterprise users of the company’s software. The Teams application has gained steam over the past year, acquiring millions of new users. Microsoft has said that Teams now has over 100 million users, though that number would also use regular consumers of its software.
“This vulnerability could be leveraged by a threat actor in a number of different scenarios including reading team chats, sending emails and messages as if from another trusted user, and even accessing, downloading or tampering with files," Grant said. “We’re all warned to distrust communications from an external source, but vulnerabilities like this reveal the potential threat posed by the platforms, people and teams we trust," he added.
The vulnerability actually came through the PowerApps service Microsoft offers to businesses. This allows them to create business-specific use cases on Microsoft’s products, like Teams, Excel and more. Attackers could exploit the lack of URL verification in PowerApps to exploit a company’s users, which can be catastrophic for them. “The severity of this vulnerability is amplified by the permissions granted to Microsoft Power Apps within Microsoft Teams," the company said on its blog. “Successful exploitation of this flaw allows attackers to take control of any users that access the malicious tab. This includes reading the victim users’ group messages within Teams, accessing the users’ email and OneDrive storage, and more," it added.
The flaw was what is called a “server-side vulnerability" in security parlance. These are vulnerabilities that exist on the servers that power Microsoft’s apps, software and services. Such vulnerabilities can be fixed by companies without user action, but system administrators may still want to recheck their systems for possible exploits.